This post demonstrates how to exploit a simple uninitialised stack variable in the Linux Kernel. I’ll start by examining the vulnerability (again this is part of the intentionally vulnerable driver I’ve been writing), and then explore how we can go about exploiting it.

The Vulnerable Code

The code I added to include this vulnerability exposes two new IOCTLs to the driver:

Continuing with my research into Linux kernel exploit dev, I decided to try an exploit that doesn’t involve gaining code execution. The following is a short demonstration of escalating a process’s privileges via an arbitrary read/write vulnerability in the kernel.

To exploit this vulnerability there are a few protection mechanisms we need to bypass. To begin, it should be noted that for this exploit I am using Ubuntu 16.04.01, Linux kernel 4.8.0. This system is being run as a virtual machine through VMWare, with hardware.version set to 12. What all of this means is that in order to get root, we need to bypass SMEP (available in VMWare when hardware.version is set to 12) and KASLR.

Recently I’ve become increasingly interested in kernel exploit development. One of my main barriers in this field is the fact that I have very little development experience in kernel space. I therefore decided to go back to how I started in exploit dev: learn how to build it so I can learn how to break it.

To that end, I started writing an intentionally vulnerable Linux driver (based off the same idea as the HackSys Windows driver). The logic is simple: write a vulnerability of a specific class (i.e. buffer overflow, UaF, etc.) into the module, and then learn how to exploit it. I decided to start with a use-after-free vulnerability; I chose this because it would force me to learn about kernel space heap spraying, memory management and so on.

How I got Started

I wouldn’t say I’m your typical “hacker”: I wasn’t really into computers when I was younger, only learnt to code a few years ago, and was pretty late getting myself to uni (not that you have to get a degree to get into security).

I was really just looking for a career change after several years in the military; I’d had enough of that lifestyle and needed something different – but equally challenging. I can’t remember exactly where it all started, but I do recall seeing an advert for codeacademy and thinking “it can’t hurt to learn that”. I was pretty much instantly hooked.